1
0
mirror of https://github.com/Tygs/0bin.git synced 2023-08-10 21:13:00 +03:00
Go to file
2012-05-08 17:52:17 +07:00
docs Improved readme, added basic documentation 2012-05-07 20:08:58 +07:00
libs Added options to the server script 2012-05-01 19:21:21 +07:00
src Added email obfuscation and dynamic menu entry 2012-05-08 17:52:17 +07:00
static Added email obfuscation and dynamic menu entry 2012-05-08 17:52:17 +07:00
views Added email obfuscation and dynamic menu entry 2012-05-08 17:52:17 +07:00
__init__.py Give uploading hint, added header to python files andimproved data handling a little 2012-05-07 13:06:09 +07:00
.gitignore 404 error are now in red with a more explicit message. Local settings support have been added, and debug default value set to false 2012-05-02 16:36:57 +07:00
README.md Improved readme, added basic documentation 2012-05-07 20:08:58 +07:00
screenshot.png Added screenshot and modified README 2012-05-01 21:18:32 +07:00
settings.py Added email obfuscation and dynamic menu entry 2012-05-08 17:52:17 +07:00
start.py Merge branch 'master' of sametmax-github:sametmax/0bin 2012-05-07 17:44:00 +07:00

0bin

Have a try here: 0bin.net

0bin is a client side encrypted pastebin that can run without a database.

It allows anybody to host a pastebin while welcoming any type of content to be pasted in it. The idea is that one can (probably...) not be legally entitled to moderate the pastebin content as he/she has no way to decrypt it.

It's an Python implementation of the zerobin project. It's easy to install even if you know nothing about Python.

How it works

When creating the paste:

  • the browser generate a random key;
  • the pasted content is encrypted with this key using AES256;
  • the encrypted pasted content is sent to the server;
  • the browser receives the paste URL and add the key in the URL hash (#).

When reading the paste:

  • the browser makes the GET request to the paste URL;
  • because the key is in the hash, the key is not part of the request;
  • browser gets the encrypted content et decrypt it using the key;
  • the pasted decrypted content is displayed and code is colored.

Key points:

  • because the key is in the hash, the key is never sent to the server;
  • therefor it won't appear in the server logs;
  • all operations, including code coloration, must happens on the client;
  • the server is no more than a fancy recipient for the encrypted data.

Technologies used

Known issues

  • 0bin use several HTML5/CSS3 features that are not widely supported. In that case we handle the degradation as gracefully as we can.
  • The "copy to clipboard" feature is buggy under linux. It's flash, so we won't fix it. Better wait for the HTML5 clipboard API to be implemented in major browsers.
  • The pasted content size limit check is not accurate. It's just a safety net, so we thinks it's ok.
  • Some url shorteners and other services storing URLs break the encryption key. We will sanitize the URL as much as we can, but there is a limit to what we can do.

What does 0bin not implement?

  • Request throttling. It would be inefficient to do it at the app level, and web servers have robust implementations.
  • Hash collision prevention: the ratio "probability it happens/consequence seriousness" is not worth it
  • Comments: for now. It's on the todo list.